Wyoming Residents' Covid Test Results Exposed Online
After an employee mistake, the Wyoming Health Department posted the Covid-19 test results of nearly 165 thousand state citizens on a storage space exposed to anyone with an active Internet connection.
The WHD made a formal announcement about the security hiccup in late April. A WHD employee seems to have uploaded the Covid test result data of roughly a quarter of the state's population on a bucket that was completely unsecured.
As it happens with a lot of data leaks, the information remained exposed for a long time after the incident. The data was put online nearly six months ago and the security issue was discovered only in mid-March.
The leaky database did not contain just Covid test results. Alcohol level breath analyzer results of over 18 thousand people were also among the unsecured files. The records also included patient names or ID numbers, birth dates and home addresses.
The Covid test results spanned a period between early 2020 and March 2021. The breath analyzer results in the leaky database were collected between 2012 and 2021 - a significant time frame.
Similar occurrences are not rare, sadly. A Threatpost story reminded readers that in December 2020 a staggering 45 million pieces of medical imagery were exposed to whatever bad actors were interested in them, due to a poorly secured server.
Even though the Wyoming Health Department reassured the public that there was no financial, bank-related, social security or health insurance data involved in the leak, this does not make the case any less significant. Bad actors can use sensitive and personally identifiable information obtained in similar leaks for a number of illegal purposes, ranging from fraud to blackmail.
The fact that this entire incident became a reality as a result of a relatively simple human error brings to light the need to educate all staff and to create a very strong awareness of the importance of cyber security on all levels of an organization, not just inside the IT department.
The WDH is doing its best to clean up the digital mess, with all unsecured files already deleted from the exposed GitHub repository and staff being trained again in digital security. Sadly, there is no guarantee that in a few weeks' time, another unrelated organization will not suffer a similar hiccup.